IDA Python script to decrypt and dump plaintext VBS scripts from script2exe packed executables


PolitoInc/script2exe_dumper

Recently we were provided a malware sample that contained some interesting strings that indicated it was packed with script2exe. Script2exe is a utility that can take a VBScript file and pack it into an executable. It is not in and of itself malicious, but can be used to package scripts that can do bad things. For this reason, many antivirus engines detect script2exe files as malicious regardless of their actual function. Use caution when investigating AV or EDR alerts on script2exe based malware.

Script2exe functions by packaging the original VBScript as an encrypted resource within a PE stub. The original script is retained in the EXE stub's resources section as a Bitmap resource numbered "129" after it is encrypted with RC4. Upon execution of the PE stub, the resource is loaded into memory, decrypted, and executed.

Script2exe Dumper

This is an IDA Python script that will run a script2exe packed script in a debugger and will dump out the RC4 encryption key and the plaintext version of the VBScript for analysis.

Tested on IDA 6.95.
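The README describes the packing scheme (RC4-encrypted VBScript stored as Bitmap resource 129 in the stub's resource section) and a dumper that recovers the key at runtime under the IDA debugger. The following is an added example, not the repository's script, showing the static half of that workflow: once an RC4 key has been recovered, walk a PE resource directory to the RT_BITMAP / ID 129 data entry and RC4-decrypt it. It assumes the "Bitmap resource numbered 129" is a standard RT_BITMAP (type 2) entry with integer ID 129, and it operates on a raw resource section given its RVA; mapping a whole PE's sections is left to a library such as pefile. The key, script text and resource blob below are constructed for the demonstration and are not values from any real sample.

```python
import struct

RT_BITMAP = 2            # standard resource type for bitmaps
SCRIPT_RESOURCE_ID = 129 # resource number named in the README


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _read_dir(blob: bytes, off: int):
    """Parse an IMAGE_RESOURCE_DIRECTORY at `off` and return (id, target_offset, is_subdir) entries.
    Entry offsets are relative to the start of the resource section; the high bit marks a subdirectory."""
    n_named, n_id = struct.unpack_from("<HH", blob, off + 12)
    entries = []
    for k in range(n_named + n_id):
        ident, target = struct.unpack_from("<II", blob, off + 16 + 8 * k)
        entries.append((ident, target & 0x7FFFFFFF, bool(target & 0x80000000)))
    return entries


def find_resource(blob: bytes, section_rva: int, res_type: int, res_id: int):
    """Walk the type -> name -> language levels and return the raw bytes of the first
    language entry for (res_type, res_id), or None if it is absent."""
    for ident, off, sub in _read_dir(blob, 0):
        if ident != res_type or not sub:
            continue
        for ident2, off2, sub2 in _read_dir(blob, off):
            if ident2 != res_id or not sub2:
                continue
            for _lang, off3, sub3 in _read_dir(blob, off2):
                if sub3:
                    continue
                # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData is an RVA, not a section offset
                data_rva, size = struct.unpack_from("<II", blob, off3)
                start = data_rva - section_rva
                if start < 0 or start + size > len(blob):
                    raise ValueError("resource data points outside the resource section")
                return blob[start:start + size]
    return None


def dump_script(blob: bytes, section_rva: int, key: bytes):
    """Locate the bitmap-129 resource and return the RC4-decrypted script, or None."""
    enc = find_resource(blob, section_rva, RT_BITMAP, SCRIPT_RESOURCE_ID)
    return None if enc is None else rc4(key, enc)


def build_resource_section(section_rva: int, res_type: int, res_id: int, lang: int, payload: bytes) -> bytes:
    """Constructed test fixture: a minimal three-level resource tree holding one data entry.
    Layout: root dir at 0, type dir at 24, name dir at 48, data entry at 72, payload at 88."""
    header = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)  # one ID entry per level
    root = header + struct.pack("<II", res_type, 24 | 0x80000000)
    tdir = header + struct.pack("<II", res_id, 48 | 0x80000000)
    ndir = header + struct.pack("<II", lang, 72)
    data_entry = struct.pack("<IIII", section_rva + 88, len(payload), 0, 0)
    return root + tdir + ndir + data_entry + payload


# Constructed sample values (hypothetical, not from a real script2exe sample)
SAMPLE_KEY = b"demo-key-not-real"
SAMPLE_SCRIPT = b'MsgBox "hello from the script2exe demo"\r\n'
SAMPLE_SECTION_RVA = 0x3000
SAMPLE_SECTION = build_resource_section(
    SAMPLE_SECTION_RVA, RT_BITMAP, SCRIPT_RESOURCE_ID, 1033, rc4(SAMPLE_KEY, SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    print(dump_script(SAMPLE_SECTION, SAMPLE_SECTION_RVA, SAMPLE_KEY).decode())
```

Because RC4 is symmetric, the same routine that the stub uses to decrypt is enough to verify a recovered key: if the output of `dump_script` is not readable VBScript, the key (or the resource you selected) is wrong. On a real file, feed `find_resource` the `.rsrc` section bytes and that section's VirtualAddress from the section table.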

More information is available on our blog https://www.politoinc.com/single-post/2017/11/03/Unpacking-script2exe-Malware
